The federal government paid multinational consulting firm McKinsey more than $1.3 million across five weeks to work on its upcoming cyber security strategy.

It was revealed during Senate Estimates this week that McKinsey was awarded a contract extension running from 24 April to 31 May worth $1.34 million to work on the development of the government’s 2023-2030 Cyber Security Strategy, which will be unveiled imminently.

The Department of Home Affairs did not go to the market for this work. The extension equated to McKinsey being paid $35,000 per working day across the five weeks.

McKinsey was first awarded the contract in February, with the consulting firm paid $864,000 across two months.

This tender was only open for one week, with one other company applying for the work.

McKinsey was then awarded the $1.34 million extension to “extend the value of work being undertaken by the department”, including the analysis of policy issues and submissions, and a “whole range of analytical and support work”, a Home Affairs representative told the Senate Estimates hearing.

This piece of work did not go out for tender, but a Department representative said value for money was considered as part of it.

In total, the federal government paid McKinsey $2.1 million across just over three months earlier this year to work on its cyber strategy.

After the first extension was finished, the Department opted to not extend it again and instead took a “different course of action”, the Estimates hearing was told.

Across this contract, staff from McKinsey met with Home Affairs Minister Clare O’Neil 22 times.

O’Neil announced late last year that the Labor government will be developing a new cyber strategy, primarily in response to the high-profile hacks of Optus and Medibank.

An Expert Advisory Board was stood up to provide advice on the strategy, with its members including ex-Telstra CEO Andrew Penn, Air Marshal Mel Hupfeld and Cyber Security Cooperative Research Centre CEO Rachael Falk.

This advisory group met with McKinsey staff eight times earlier this year. It will not be delivering a final report to government, the Estimates hearing heard, and has instead provided “iterative” advice.

O’Neil has said the new strategy will provide the “step-change Australia needs to improve our national resilience to cyber threats and properly address the consequences of cyber incidents”.

The Minister recently outlined key elements of the strategy at the AFR Cyber Summit, saying it will include six “cyber shields” involving citizens, businesses and government.

“These shields will help protect our businesses, our organisations and our citizens, and it will mean that we won’t be alone or in our silos trying to manage this problem,” O’Neil said.

“It will mean a cohesive, planned national response that builds to a more protected Australia.”

The six “shields” include the long-term education of citizens and businesses, safer technology, a world-class threat sharing and blocking system, protecting critical infrastructure, sovereign capability through cyber skills and undertaking coordinated global action, and pushing for a more resilient region.

The strategy will be delivered in two-year blocks, with the first to run until 2025 and be about “building out strong foundations”, O’Neil said.

The Expert Advisory Board released a discussion paper earlier this year, outlining how the current “patchwork of policies, laws and frameworks” is “not keeping up with the challenges presented in the digital age”.

The federal government has also recently appointed a National Cyber Security Coordinator and launched a “hack the hackers” collaboration with the Australian Federal Police and the Australian Signals Directorate (ASD).

Earlier this week tech giant Microsoft announced it will be spending $5 billion on Australian digital infrastructure, including working with the ASD on a cyber security program.